Monitor Broker VM Activity

Cortex XDR Pro Administrator Guide

Learn more about the monitored Cortex XDR Broker VM activities.

Cortex XDR logs entries for events related to monitored Broker VM activities and stores these logs for 365 days. To view the Broker VM audit logs, select Settings → Management Audit Logs.

To keep you and your colleagues informed about Broker VM activity, you can configure notification forwarding to send your Broker VM audit logs to an email distribution list or Syslog server.

You can customize your view of the logs by adding or removing filters on the Management Audit Logs table. You can also filter the page results to narrow down your search. The following table describes the default and optional fields that you can view in the Cortex XDR Management Audit Logs table:


Some fields are exposed by default and others are hidden. An asterisk (*) marks each field that is exposed by default.




Log message that describes the action.


Email of the user who performed the action.

Host Name*

Name of any relevant affected hosts.


Unique ID of the action.


This field is not applicable for Broker VM logs.


The result of the action (Success, Fail, or N/A).


Severity associated with the log:

  • Critical

  • High

  • Medium

  • Low

  • Informational


Date and time when the action occurred.

Type* and Sub-Type*

Additional classifications of Broker VM logs (Type and Sub-Type):

  • Broker VMs:

    • Action on device

    • Add Cluster

    • Applet Activated

    • Applet Configuration

    • Applet connection_test Action

    • Applet Deactivated

    • Applet License Expired

    • Applet Mount Share Action

    • Applet Mount Share Test Action

    • Applet preview Action

    • Applet Scan Now Action

    • Applet Set Configuration

    • Applet Unmount All Shares Action

    • Authentication succeeded

    • Broker Log

    • Cluster Configuration

    • Cluster Failover

    • Cluster health declined

    • Cluster health recovered

    • Cluster Switchover

    • Device configuration

    • Disconnect

    • Register

    • Remove Cluster

    • Remove Device

    • Subscription Created

    • Subscription Deleted

    • Subscription Edited

  • Broker API:

    • Authentication failed

User Name*

Name of the user who performed the action.
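The following is an added example, not part of the Cortex XDR guide or product: a triage pass over Broker VM audit records that counts Broker API "Authentication failed" entries per host and lists a subset of Broker VMs sub-types that remove or disable collection. The CSV layout, the `Time` and `Result` column names, the sample rows, the watched subset and the threshold are all assumptions; the Type and Sub-Type values are the ones listed above.

```python
import csv
import io
from collections import Counter

# Constructed sample records. The CSV layout and the "Time"/"Result" column
# names are assumptions; Type and Sub-Type values come from the table above.
SAMPLE_CSV = """\
Time,Type,Sub-Type,Result,Host Name,User Name
2024-01-10 09:00:01,Broker API,Authentication failed,Fail,broker-01,
2024-01-10 09:00:04,Broker API,Authentication failed,Fail,broker-01,
2024-01-10 09:00:09,Broker API,Authentication failed,Fail,broker-01,
2024-01-10 09:02:00,Broker VMs,Authentication succeeded,Success,broker-01,admin
2024-01-10 09:05:30,Broker VMs,Applet Deactivated,Success,broker-01,admin
2024-01-10 09:06:10,Broker VMs,Remove Device,Success,broker-01,admin
2024-01-10 10:00:00,Broker API,Authentication failed,Fail,broker-02,
2024-01-10 11:00:00,Broker VMs,Applet Configuration,Success,broker-02,ops
"""

# Sub-types that reduce or remove log collection (editorial choice, an assumption).
WATCHED_SUBTYPES = {
    "Remove Device", "Remove Cluster", "Disconnect",
    "Applet Deactivated", "Cluster Failover", "Cluster health declined",
}
AUTH_FAIL_THRESHOLD = 3  # assumed threshold; tune to your environment


def triage(csv_text, threshold=AUTH_FAIL_THRESHOLD):
    """Return (hosts with repeated API auth failures, watched change events)."""
    auth_failures = Counter()
    watched = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        log_type = row["Type"].strip()
        sub_type = row["Sub-Type"].strip()
        host = row["Host Name"].strip()
        if log_type == "Broker API" and sub_type == "Authentication failed":
            auth_failures[host] += 1
        elif log_type == "Broker VMs" and sub_type in WATCHED_SUBTYPES:
            watched.append((row["Time"], host, sub_type, row["User Name"]))
    noisy = {h: n for h, n in auth_failures.items() if n >= threshold}
    return noisy, watched


if __name__ == "__main__":
    noisy_hosts, changes = triage(SAMPLE_CSV)
    for host, count in noisy_hosts.items():
        print(f"{host}: {count} Broker API authentication failures")
    for when, host, sub_type, user in changes:
        print(f"{when} {host}: {sub_type} by {user}")
```

A successful authentication followed shortly by "Applet Deactivated" or "Remove Device" on the same host, as in the constructed rows, is the kind of sequence worth reviewing by hand.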